Module 2: Implementing DNS to Support Active Directory
Contents
Overview 1
Introduction to the Role of DNS in Active Directory 2
DNS and Active Directory 3
DNS Name Resolution in Active Directory 7
Active Directory Integrated Zones 16
Installing and Configuring DNS to Support Active Directory 17
Lab A: Installing and Configuring DNS to Support Active Directory 22
Best Practices 29
Review 30
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, BackOffice, FrontPage, IntelliMirror, PowerPoint, Visual Basic,
Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered
trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT (USA) Inc.),
Bhaskar Sengupta (NIIT (USA) Inc.)
Lead Program Manager: Paul Adare (FYI TechKnowlogy Services)
Program Manager: Gregory Weber (Volt Computer Services)
Technical Contributors: Jeff Clark, Chris Slemp
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert
Copy Editor: Kaarin Dolliver (S&T Consulting)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Courseware Test Engineers: Jeff Clark, H. James Toland III
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: David Myka (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc.
Production Support: Irene Barnett (S&T Consulting)
Manufacturing Manager: Rick Terek
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Gerry Lang, Julie Truax
Group Product Manager: Robert Stewart
Module 2: Implementing DNS to Support Active Directory iii
Instructor Notes
This module provides students with the knowledge and skills to implement a
Domain Name System (DNS) infrastructure in preparation for installing
Microsoft® Windows® Active Directory™ directory service. Students will learn
about the roles of DNS in an Active Directory network, and about DNS and
Active Directory namespaces. This module explains the process of DNS name
resolution in Active Directory, and describes how to configure Active Directory
to manage DNS zones. Students will also learn how to install and configure
DNS to support an Active Directory installation.
At the end of this module, students will be able to:
• Describe the role of DNS in an Active Directory network.
• Describe the similarities and differences between the DNS namespace and the Active Directory namespace.
• Describe how client computers locate domain controllers in Windows 2000.
• Install and configure DNS to support an installation of Active Directory.
• Apply best practices for setting up DNS to support an installation of Active Directory.
In the hands-on lab in this module, students will have the opportunity to install
and configure DNS in preparation for installing Active Directory.
Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2154A_02.ppt
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read the topics related to Active Directory and DNS domain names in chapter 1, “Active Directory Logical Structure,” in the Distributed Systems book in the Microsoft Windows 2000 Server Resource Kit.
• Read chapter 3, “Name Resolution in Active Directory,” in the Distributed Systems book in the Microsoft Windows 2000 Server Resource Kit.
• Read the white paper, Active Directory Architecture, on the Student Materials compact disc.
Presentation: 45 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
• Introduction to the Role of DNS in Active Directory
  In this topic, you will introduce the role of DNS in Active Directory. Describe how DNS is integrated with Active Directory. Discuss the primary functions that DNS provides in an Active Directory network.
• DNS and Active Directory
  In this topic, you will introduce DNS and Active Directory namespaces, DNS host names, and Windows 2000 computer names. First, explain the relationship between the DNS namespace and the Active Directory namespace. Emphasize how DNS can be used to locate computers that perform specific roles in an Active Directory domain by integrating the DNS and Active Directory namespaces. Next, point out that computers and domains have a DNS name and an Active Directory name. Explain that the DNS host name for a computer is the same name as that used for the computer account that is stored in Active Directory.
• DNS Name Resolution in Active Directory
  In this topic, you will introduce DNS name resolution in Active Directory. Discuss how DNS is used to locate a Windows 2000 domain controller. Explain that Windows 2000 uses DNS SRV (service) resource records to locate domain controllers, and describe the format of an SRV record. Identify the SRV records registered by domain controllers during startup, and present information on how computers use DNS to locate domain controllers.
• Active Directory Integrated Zones
  In this topic, you will introduce Active Directory integrated zones. Describe how to configure Active Directory to manage DNS zones, and discuss the benefits of Active Directory integrated zones.
• Installing and Configuring DNS to Support Active Directory
  In this topic, you will introduce installing and configuring DNS to support Active Directory. First, discuss the DNS requirements for Active Directory. Next, present information on how to install and configure the DNS Server service in preparation for installing Active Directory. Finally, explain how the Active Directory Installation wizard installs and configures DNS.
• Lab A: Installing and Configuring DNS to Support Active Directory
  Prepare students for the lab in which they will implement a DNS infrastructure that will support an installation of Active Directory. Students will install the DNS Server service, create forward and reverse lookup zones, enable dynamic update, and test DNS by using the nslookup command. After students have completed the lab, ask them if they have any questions.
• Best Practices
  Present best practices for implementing DNS to support Active Directory. Emphasize the reason for each best practice.
Customization Information
This section identifies the lab setup requirements for the module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Important: The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 2154A, Implementing and Administering Microsoft Windows 2000 Directory Services.
Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
Performing the lab in this module introduces the following configuration
changes:
• DNS is installed on all student computers.
• The primary DNS suffix of the student computers is computerdom.nwtraders.msft (where computer is the student’s assigned computer name).
• The Preferred DNS server on the student computers is set to each student’s Internet Protocol (IP) address.
• A forward lookup zone is created on each student computer.
• A reverse lookup zone is created on each student computer.
• Both the forward and reverse lookup zones are configured with dynamic update.
Overview
• Introduction to the Role of DNS in Active Directory
• DNS and Active Directory
• DNS Name Resolution in Active Directory
• Active Directory Integrated Zones
• Installing and Configuring DNS to Support Active Directory
• Best Practices
The integration of the Domain Name System (DNS) and Active Directory™
directory service is a key feature of Microsoft® Windows® 2000. DNS and
Active Directory use an identical hierarchical naming structure so that domains
and computers are represented both as Active Directory objects and as DNS
domains and resource records. The result of this integration is that computers in
a Windows 2000 network use DNS to locate computers that provide specific
Active Directory–related services. For example, when a user logs on from a
client computer or needs to search Active Directory for a printer or shared
folder, the client computer queries a DNS server to locate a domain controller.
Windows 2000 also supports the integration of DNS zones in Active Directory,
so that DNS primary zones can be stored in Active Directory for enhanced
security and for replication to other domain controllers.
Windows 2000 requires that a DNS infrastructure is in place or is installed
when you install Active Directory. Before you create Windows 2000 domains,
you should understand how DNS and Active Directory are integrated, how
client computers use DNS to locate domain controllers, and how to install and
configure DNS to prepare for an Active Directory installation.
At the end of this module, you will be able to:
• Describe the role of DNS in an Active Directory network.
• Describe the similarities and differences between the DNS namespace and the Active Directory namespace.
• Describe how client computers locate domain controllers in Windows 2000.
• Install and configure DNS to support an installation of Active Directory.
• Apply best practices for setting up DNS to support an installation of Active Directory.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how DNS provides the location service in an Active Directory network. You will also learn how to configure DNS prior to installing Active Directory.
Introduction to the Role of DNS in Active Directory
• Name Resolution
  - DNS translates computer names to IP addresses
  - Computers use DNS to locate each other on the network
• Naming Convention for Windows 2000 Domains
  - Windows 2000 uses DNS naming standards for domain names
  - DNS domains and Active Directory domains share a common hierarchical naming structure
• Locating the Physical Components of Active Directory
  - DNS identifies domain controllers by the services they provide
  - Computers use DNS to locate domain controllers and global catalog servers
DNS provides the following primary functions in an Active Directory network:
• Name resolution. DNS provides name resolution by translating computer names to Internet Protocol (IP) addresses so that computers can locate each other. A computer on a Windows 2000 network sends a DNS query containing the name of the computer it wants to locate to a DNS server. The DNS server resolves the query by looking in its local database or by forwarding the query to another DNS server. DNS also performs reverse name resolution by translating IP addresses to computer names.
• Naming convention for Windows 2000 domains. Active Directory uses DNS naming conventions to name Windows 2000 domains. In a Windows 2000 network, the names of DNS domains and Active Directory domains share a common hierarchical naming structure. For example, asia.contoso.msft is a valid DNS domain name and could also be the name of a Windows 2000 domain.
• Locating the physical components of Active Directory. DNS identifies domain controllers by the specific services that they provide, such as authenticating a logon request or performing an Active Directory search. A client computer uses this service-specific information to query DNS to locate a domain controller that provides the service.
  For example, to log on to the network or to search Active Directory for published printers or folders, a computer running Windows 2000 first must locate a domain controller or global catalog server to process the logon authentication or the query. The DNS database stores information about which computers perform these roles.
Slide Objective: To introduce how DNS is integrated with Active Directory.
Lead-in: DNS provides a number of important functions in a Windows 2000 network.
DNS and Active Directory
• DNS and Active Directory Namespaces
• DNS Host Names and Windows 2000 Computer Names
The integration of DNS and Active Directory is a central feature of
Windows 2000 Server. DNS domains and Active Directory domains use
identical domain names for different namespaces. Using identical domain
names enables computers in a Windows 2000 network to use DNS to locate
domain controllers and other computers that provide Active Directory–related
services.
Slide Objective: To introduce the topics related to the integration of DNS and Active Directory in Windows 2000.
Lead-in: DNS domains and Active Directory domains use identical domain names for different namespaces.
DNS and Active Directory Namespaces
[Slide diagram: the DNS namespace (Internet root “.”, com., microsoft, sales, training and computer1 as DNS nodes, giving microsoft.com, sales.microsoft.com and training.microsoft.com) beside the Active Directory namespace (microsoft, sales and training as Active Directory domains). Legend: DNS node (domain or computer); Active Directory domain.]
A namespace is a hierarchical naming structure in which the names in the
namespace can be resolved to the objects that they represent. In Windows 2000,
DNS domains and Active Directory domains have the same hierarchical naming
structure, but they represent two different namespaces because they store
different information about the same physical objects.
In the DNS namespace, zones store name information about one or more DNS
domains. A DNS zone is a contiguous portion of the domain namespace for
which a DNS server has authority to resolve DNS queries. A zone stores the
resource records for the domains and computers in that zone. Resource records
represent computers, and contain the information necessary for a DNS server to
resolve DNS queries. Note that a single DNS zone can store information about
computers that are joined to different Active Directory domains.
In the Active Directory namespace, Active Directory objects represent the same
domains and computers that exist as nodes in the DNS namespace. Therefore,
DNS domains and Active Directory domains share identical names.
In other words, the DNS and Active Directory namespaces use an identical
naming structure so that domains and computers can be represented both as
DNS nodes and Active Directory objects. For example, a Windows 2000
domain with a name training.microsoft.com also has a DNS domain name,
which is training.microsoft.com. The advantage of integrating the DNS and
Active Directory namespaces is that DNS can be used to locate computers that
play specific roles in an Active Directory domain.
Slide Objective: To illustrate the relationship between the DNS namespace and the Active Directory namespace.
Lead-in: In Windows 2000, DNS domains and Active Directory domains have the same hierarchical naming structures.
Key Points: In the Active Directory namespace, Active Directory objects represent the same domains and computers that exist as nodes in the DNS namespace. The DNS and Active Directory namespaces use an identical naming structure so that domains and computers can be represented both as DNS nodes and Active Directory objects.
Active Directory and the Internet
The integration of DNS and Active Directory also enables the Active Directory
domain structure to exist within the scope of the Internet namespace. This is
possible because the global DNS namespace provides the hierarchical naming
structure of the Internet. If your organization requires an Internet presence, then
it must register the DNS name that will be used as the name of the root domain
in the Active Directory domain structure.
When the root domain of your Active Directory domain structure has a DNS
domain name that is registered, then resource records in the relevant top-level
domains in the global Internet namespace point to DNS servers that are
authoritative for your root domain. For example, name servers that are
authoritative for the .com DNS database contain resource records for DNS
name servers in the root domain of microsoft.com. These resource records
enable external domains to use the Internet to find the microsoft.com domain.
Similarly, the DNS name servers in your network can contain resource records
for Internet name servers if you want to be able to locate other domains on the
Internet.
DNS Host Names and Windows 2000 Computer Names
• DNS host record and Active Directory object represent the same physical computer
• DNS allows computers to locate domain controllers within Active Directory
[Slide diagram: the DNS tree (“.”, com., microsoft, sales, training, computer1) beside the Active Directory tree (training.microsoft.com with its Builtin and Computers containers, holding Computer1 and Computer2). Both sides label the same machine: FQDN = computer1.training.microsoft.com; Windows 2000 Computer Name = Computer1.]
Because Windows 2000 integrates DNS and Active Directory, domains and
computers are represented by resource records in the DNS namespace, and by
Active Directory objects in the Active Directory namespace. Therefore, the
DNS host name for a computer is the same name that is used for the
computer account that is stored in Active Directory. Note that the
Windows 2000 computer name is the relative distinguished name of the Active
Directory object. The DNS domain name, which is called the primary DNS
suffix, is also the same as the name of the Active Directory domain to which the
computer is joined.
In other words, a computer is represented in the DNS namespace and the Active
Directory namespace by the same name. For example, a computer named
Computer1 that is joined to the Active Directory domain named
training.microsoft.com has the following fully qualified domain name (FQDN):
computer1.training.microsoft.com
The integration of DNS and Active Directory is essential because a client
computer in a Windows 2000 network must be able to locate a domain
controller to use the services provided by Active Directory. To locate a domain
controller, a computer uses DNS to locate the IP address for a computer that
provides the required service within Active Directory.
Note: In Windows 2000, the FQDN for a computer is also called the full computer name.
Slide Objective: To describe how computers and domains have a DNS name and an Active Directory name.
Lead-in: Because DNS and Active Directory use identical domain names, the same DNS host name for a computer is used for the computer account that is stored in Active Directory.
Key Points: The DNS host name for a computer is the same name that is used for the computer account that is stored in Active Directory. The Windows 2000 computer name is the relative distinguished name of the Active Directory object.
DNS Name Resolution in Active Directory
• SRV (Service) Resource Records
• SRV Record Format
• SRV Records Registered by Domain Controllers
• How Computers Use DNS to Locate Domain Controllers
In addition to being identified by an FQDN in DNS and by a Windows 2000
full computer name, domain controllers are also identified by the specific
services that they provide. Windows 2000 uses DNS to locate domain
controllers by resolving a domain or computer name to an IP address. This is
accomplished by SRV (service) resource records, which map a particular
service to the domain controller that provides that service. The format of an
SRV record contains this information, as well as Transmission Control
Protocol/Internet Protocol (TCP/IP) specific information.
When a domain controller starts up, the Net Logon service running on the
domain controller uses the DNS dynamic update feature to register with the
DNS database the SRV records for all Active Directory–related services that the
domain controller provides. Therefore, a computer running Windows 2000 can
query a DNS server when it needs to contact a domain controller.
Note: For more information about DNS name resolution in Active Directory, see chapter 3, “Name Resolution in Active Directory,” in the Distributed Systems Guide in the Microsoft Windows 2000 Server Resource Kit.
Slide Objective: To introduce the topics related to DNS name resolution in Active Directory.
Lead-in: Now that you understand the relationship between the DNS and Active Directory namespaces, let’s discuss how DNS is used to locate a Windows 2000 domain controller.
SRV (Service) Resource Records
• SRV Records Allow Computers to Locate Domain Controllers
• Information in SRV Records Maps DNS Computer Names to the Service
• Windows 2000 Uses SRV Records to Locate:
  - A domain controller in a specific domain or forest
  - A domain controller in the same site as a client computer
  - A domain controller configured as a global catalog server
  - A computer configured as a Kerberos KDC server
• DNS Servers Use the Information in the SRV Record and the A Resource Record to Locate Domain Controllers
For Active Directory to function properly, DNS servers must provide support
for SRV (service) resource records. SRV records allow client computers to
locate servers that provide specific services such as authenticating logon
requests and searching for information in Active Directory. Windows 2000 uses
SRV records to identify a computer as a domain controller. SRV records link
the name of a service to the DNS computer name for the domain controller that
offers that service.
SRV records also contain information that enables a DNS server to locate the
following:
• A domain controller located in a specific Windows 2000 domain or forest.
• A domain controller located in the same site as a client computer.
• A domain controller that is configured as a global catalog server.
• A computer that runs the Kerberos Key Distribution Center (KDC) service.
SRV Records and A Resource Records
When a domain controller starts up, it registers SRV records, which contain
information about the services it provides, and an A resource record that
contains its DNS computer name and its IP address. A DNS server then uses
this combined information to resolve DNS queries and return the IP address of
a domain controller so that the client computer can locate the domain controller.
Note: In Windows 2000, domain controllers are also referred to as Lightweight Directory Access Protocol (LDAP) servers because they run the LDAP service that responds to requests to search for or modify objects in Active Directory.
Slide Objective: To explain that Windows 2000 uses DNS SRV records to locate domain controllers.
Lead-in: In Windows 2000, SRV resource records are used to locate a computer that provides a specific service.
Key Points: SRV records allow client computers to locate servers that provide specific Active Directory services. SRV records link the name of a service to the DNS computer name for the domain controller that offers that service.
SRV Record Format
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft.
Field      Description
Service    Specifies the name for the service
Protocol   Indicates the transport protocol type
Name       Specifies the domain name referenced by the resource record
Ttl        Specifies the standard DNS resource record Time to Live value
Class      Specifies the standard DNS resource record class value
Priority   Specifies the priority of the host
Weight     Specifies the load balancing mechanism
Port       Shows the port of the service on this host
Target     Specifies the FQDN for the host supporting the service
All SRV records use a standard format, which consists of fields that contain the
information used to map a specific service to the computer that provides the
service. SRV records use the following format:
_service._protocol.name ttl class SRV priority weight port target
The following table describes each field in an SRV record:
Field       Description
_Service    Specifies the name of the service, such as LDAP or Kerberos, provided by the server that registers this SRV record.
_Protocol   Specifies the transport protocol type, such as TCP or User Datagram Protocol (UDP).
Name        Specifies the domain name referenced by the resource record.
Ttl         Specifies the Time to Live (TTL) value (in seconds), which is a standard field in DNS resource records.
Class       Specifies the standard DNS resource record class value, which is almost always “IN” for the Internet system.
Priority    Specifies the priority of the server. Clients attempt to contact the host with the lowest priority value first.
Weight      Denotes a load balancing mechanism that clients use when selecting a target host. When the priority field is the same for two or more records in the same domain, clients choose randomly among those records, with each record’s chance of being chosen proportional to its weight.
Port        Specifies the port where the server is “listening” for this service.
Target      Specifies the fully qualified domain name (FQDN), which is also called the full computer name, of the computer providing the service.
Slide Objective: To describe the format of an SRV record.
Lead-in: Let’s look at the format of an SRV record, which contains the information necessary to locate domain controllers.
Key Point: An SRV record uses a format that consists of fields containing the information used to map a specific service to the computer that provides the service.
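The two mechanisms described above, the DNS server combining SRV and A records (SRV Records and A Resource Records) and the priority/weight fields of the SRV format (SRV Record Format), as an added example that is not part of the course materials: it parses records written in the zone-file format shown on the slide, orders the candidate domain controllers the way an SRV-aware client does (lowest priority first, then weighted random choice as RFC 2782 prescribes), and joins each target with its A record to produce the IP address and port the client would try. The london record is the one on the slide; the paris, backup and orphan records, the IP addresses, and all function names are constructed for this example.

```python
# Added example (not course material): parse SRV records, order targets by
# priority/weight (RFC 2782), and join them with A records to get IP:port pairs.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    service: str    # e.g. "_ldap"
    protocol: str   # e.g. "_tcp"
    name: str       # domain the record belongs to, e.g. "contoso.msft"
    ttl: int
    priority: int
    weight: int
    port: int
    target: str     # FQDN of the host offering the service (trailing dot removed)


def parse_srv(line: str) -> SrvRecord:
    """Parse one line of the form: _service._protocol.name ttl IN SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner = fields[0]
    service, protocol, name = owner.split(".", 2)
    if not (service.startswith("_") and protocol.startswith("_")):
        raise ValueError(f"owner name must be _service._protocol.name: {owner!r}")
    ttl, priority, weight, port = (int(f) for f in fields[1:2] + fields[4:7])
    if not 0 <= port <= 65535 or priority > 65535 or weight > 65535:
        raise ValueError(f"field out of range in {line!r}")
    return SrvRecord(service, protocol, name, ttl, priority, weight, port, fields[7].rstrip("."))


def order_targets(records, rand=random.randint):
    """Return records in the order a client should try them (RFC 2782 selection).

    Lower priority first; within one priority a weighted random draw, so a
    record's chance is proportional to its weight. `rand(a, b)` must return an
    integer in [a, b]; it is injectable so tests can make the draw deterministic.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # RFC 2782: zero-weight records go first so they are picked only when the draw is 0
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            draw = rand(0, total)
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= draw:           # first record whose running sum reaches the draw
                    ordered.append(group.pop(i))
                    break
    return ordered


def locate_service(srv_lines, a_records, rand=random.randint):
    """Combine SRV records with A records: returns [(ip, port), ...] in try order.

    A target with no A record is skipped, since the client could not reach it anyway.
    """
    records = [parse_srv(line) for line in srv_lines]
    result = []
    for rec in order_targets(records, rand):
        ip = a_records.get(rec.target)
        if ip is not None:
            result.append((ip, rec.port))
    return result


# Constructed sample data: the london record is the slide's example; the rest is made up.
SRV_LINES = [
    "_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft.",
    "_ldap._tcp.contoso.msft 600 IN SRV 0 0 389 paris.contoso.msft.",
    "_ldap._tcp.contoso.msft 600 IN SRV 10 50 389 backup.contoso.msft.",
    "_ldap._tcp.contoso.msft 600 IN SRV 10 50 389 orphan.contoso.msft.",
]
A_RECORDS = {
    "london.contoso.msft": "10.0.0.5",
    "paris.contoso.msft": "10.0.0.6",
    "backup.contoso.msft": "10.0.1.7",
    # orphan.contoso.msft deliberately has no A record
}

if __name__ == "__main__":
    for ip, port in locate_service(SRV_LINES, A_RECORDS):
        print(f"try {ip}:{port}")
```

Run as a script, it prints the LDAP targets in try order; paris (weight 0) comes first only on the rare draw of 0, and orphan never appears because no A record maps it to an address. Injecting `rand` makes the otherwise random weight selection reproducible, which is also how you would unit-test a real locator.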